2.2.4.7.2.10 Ensure 'Require that application add-ins are signed by Trusted Publisher' is set to 'Enabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting controls whether add-ins for the specified Office applications must be digitally signed by a trusted publisher.

The recommended state for this setting is: Enabled.

Rationale:

By default, Office applications do not check the digital signature on application add-ins before opening them. Not configuring this setting may allow an application to load a dangerous add-in and as a result, malicious code could become active on a user's computer or the network.

Impact:

This setting could cause disruptions for users who rely on add-ins that are not signed by trusted publishers. These users will either have to obtain signed versions of such add-ins or stop using them.

Office stores certificates for trusted publishers in the trusted publisher store. Earlier versions of Office stored trusted publisher certificate information (specifically, the certificate thumbprint) in a special Office trusted publisher store. Office still reads trusted publisher certificate information from the Office trusted publisher store but does not write information to this store.

If a list of trusted publishers in a previous version of Office was created and upgrade the Office release, the trusted publisher list will still be recognized.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled.

User Configuration\Administrative Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

Default Value:

Disabled. (Excel does not check for digital signatures in add-ins.)

See Also

https://workbench.cisecurity.org/files/4234